Our Cybersecurity Programme

OUR APPROACH

By adopting a whole-of-organisation approach to managing cyber risks and data breaches, we remain committed to building robust cyber resilience and data protection controls. Key elements of our strategy include:

Review

Perform proactive assessments and regularly update our information security and digital risk (including cyber and technology) and data protection framework, policies and standards. This ensures continuous alignment against evolving threats and regulatory requirements, supported by regular inspections to verify compliance.

Transform

Enhance prevention, detection, and response capabilities by deploying advanced security tools and solutions. These advancements improve security log collection and analysis to strengthen threat detection and enable timely mitigation.

React

Conduct regular vulnerability assessments and penetration tests on IT systems to identify and remediate vulnerabilities. We also perform cyber-related tabletop exercises, adversarial attack simulations, cyber range and disaster recovery tests to strengthen processes and controls, including business continuity, contingency and incident response plans. Our IT infrastructure and information security management systems are also subject to comprehensive internal and external audits to ensure ongoing compliance and robustness.

Develop

Promote a strong culture of cybersecurity and data protection awareness by engaging our employees through e-learning initiatives and the Cyber Smart Programme, a multi-year initiative. It aims to evaluate and strengthen employees’ knowledge, skills and behaviours in effectively managing risks related to cybersecurity, data protection, emerging risks and social engineering.

We have established policies and standards to support our risk management framework by integrating regulatory requirements and aligning with global industry guidelines. These policies address key areas such as risk management, information security, personal data protection and cyber resilience. To ensure effectiveness and relevance, the framework, policies and standards undergo regular review and are approved by senior risk committees, including the Group Information Security and Digital Risk Management Committee and the Board Risk Management Committee.

Information Security and Digital Risk Policy

This Policy establishes the control expectations for organisational responsibilities and for specific information security and digital risk domains, including technology and cyber risks. It aims to manage risks arising from internal and external threats to the Group’s information assets and personnel. These control expectations aim to ensure the confidentiality, integrity and availability of the Group’s information assets.

Acceptable Use Sub-Policy

This Policy defines the proper conduct and use of the Group's information assets, including technology equipment, information, software services and communication services.

Information Classification and Handling Sub-Policy

This Policy establishes the control expectations for ownership, classification and handling of information to protect against unauthorised access and disclosure.

Technology Security Standards

These Standards define the baseline security requirements for any technology or systems implemented, and the cryptographic algorithms and processes that are acceptable for adoption.

General Personal Data Protection Policy

This Policy institutionalises ten OCBC Data Protection Principles, which govern OCBC’s collection, use and disclosure of personal data. The OCBC Data Protection Principles (which include the Consent, Notification, Purpose Limitation, Protection, Retention Limitation, Access and Correction and Accountability Principles) are aligned with the requirements of the Data Protection Trustmark and APEC Cross Border Privacy Rules certifications, and local data protection laws. Designed to be jurisdiction-neutral, these principles establish a consistent baseline to facilitate trusted cross-border data transfers and oblige our business units to implement technical and organisational measures to protect personal data in their care.

Data Protection Policy

Our Data Protection Policy is publicly available and provides clear and transparent notice to individuals regarding the ways in which we collect, use and disclose their personal data. The policy makes it clear that we do not sell personal data, nor do we provide personal data to third parties except when it is legally acceptable or when we have the consent to do so. It provides a framework for the responsible collection, use, disclosure and retention of personal data while ensuring that individuals are notified of their rights to access, correct and withdraw consent to the further processing of their personal data.